Tag: Magic Unicorn

If you have been wondering why many PowerShell-based shells haven't been working, you can thank Windows' AMSI. If you still need to use PowerShell-based shells, check out the latest version of TrustedSec's Magic Unicorn tool.

According to Microsoft, the Antimalware Scan Interface (AMSI) is an interface that "provides enhanced malware protection for users and their data, applications, and workloads". It is a newer piece in the anti-virus bypass cat-and-mouse game. Just as with regular anti-virus, there has been an almost constant battle between AMSI and utilities that bypass its ability to catch and block PowerShell-based remote shells.

The TrustedSec team has been very active in updating their “Magic Unicorn” PowerShell tool to evade AV and AMSI, and this is evident in their latest Unicorn update.

When you run Magic Unicorn, you are given a complete set of usage examples. More information is available on the GitHub site, so I am not going to discuss tool usage here, other than to note that generated payloads are written to the /unicorn directory.

[Figure: Magic Unicorn usage features]

The big question: does it work?

That would be a yes:

[Figure: Remote PowerShell shell with Magic Unicorn]

The best defenses against attacks like this are to be very leery of e-mail attachments and suspicious links, and to protect physical access to your computers. Disable or remove old PowerShell versions. Enable PowerShell monitoring. Install all Windows and AV updates. Run a good network security program. A good Network Security Monitoring system is also always helpful in case the worst happens.
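As an added example (not code from the original post or from TrustedSec), the following PowerShell function audits a host for the defensive settings recommended above, and applies them when run with -Remediate. It assumes an elevated PowerShell 5.1+ session on a Windows client SKU; the registry paths are the standard Group Policy locations for PowerShell logging.

```powershell
# Added example, not from the original post: audit (and optionally apply) the
# defensive settings the post recommends. Run in an elevated PowerShell 5.1+ session.
function Test-PowerShellHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'

    # 1. Legacy PowerShell 2.0 engine: it predates AMSI and script block logging,
    #    so anything started under it is neither scanned nor logged. (Client SKUs.)
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $v2Enabled = [bool]($v2 -and $v2.State -eq 'Enabled')
    if ($v2Enabled -and $Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }

    # 2. Script block logging (event ID 4104) records the de-obfuscated script text
    #    in Microsoft-Windows-PowerShell/Operational.
    $sblOn = (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
    if (-not $sblOn -and $Remediate) {
        New-Item -Path $sbl -Force | Out-Null
        Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }

    # 3. Module logging (event ID 4103) for every module ("*").
    $modOn = (Get-ItemProperty -Path $mod -Name EnableModuleLogging -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
    if (-not $modOn -and $Remediate) {
        New-Item -Path "$mod\ModuleNames" -Force | Out-Null
        Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
        Set-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*'
    }

    # 4. AMSI providers registered on this host; zero means nothing is scanning
    #    script content at all (Windows Defender registers one by default).
    $providers = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        PowerShellV2Enabled = $v2Enabled
        ScriptBlockLogging  = [bool]$sblOn
        ModuleLogging       = [bool]$modOn
        AmsiProviders       = $providers
    }
}

# Audit only; add -Remediate to disable the v2 engine and turn on both logging policies.
Test-PowerShellHardening | Format-List
```

Once logging is on, the 4104 events in Microsoft-Windows-PowerShell/Operational are what a monitoring system should be forwarding and alerting on.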